[whatwg] Sandboxing ideas
alexey at feldgendler.ru
Tue May 15 14:46:19 PDT 2007
On Tue, 15 May 2007 23:37:37 +0200, Jon Barnett <jonbarnett at gmail.com>
>> The OP probably meant that maintaining so many contexts would cause a
>> comparable deterioration in performance. All user comments should be
>> put in one security context.
>> With all comments grouped together in such a manner, you could even use
>> an inline frame.
> I really think comments are a bad use case. Why would someone allow
> scripts in comments in any context, much less a sandboxed one?
Sure, comments are probably an unrealistic example. But embedding
widget-like scripts in blog entries is, I think, realistic.
> The best use case I have thought of so far is MySpace et. al., a site
> where users have their own page with limited permission in the context
> of the overall site. MySpace solves this by not allowing scripts at
> all, as most such web sites do. If possible, such sites might allow a
> user to insert widget scripts with limited permissions. For this use
> case, iframe isn't ideal, either, but limited scripting and styling
> are desired.
There are contexts in which blog entries by multiple users are displayed
in one page (aggregation contexts like LiveJournal friends pages).
Technically this is equivalent to the example with comments: units of
content authored by different users needs to be protected from each other.
Alexey Feldgendler <alexey at feldgendler.ru>
[ICQ: 115226275] http://feldgendler.livejournal.com
More information about the whatwg